Re: [lamps] [EXTERNAL] Re: draft-housley-lamps-norevavail-00

Tim Hollebeek <tim.hollebeek@digicert.com> Tue, 23 May 2023 14:33 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, Deb Cooley <debcooley1@gmail.com>
CC: 'LAMPS' <spasm@ietf.org>
Date: Tue, 23 May 2023 14:33:41 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/4ggcD-RoqGlirLwuvt0zYvu6VQ8>

Mike,

The OCSP nocheck extension is not particularly carefully standardized, which has already caused a major security incident which I would have thought you were aware of.  The drama started here if you weren’t following:

https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg13493.html

I would strongly suggest not attempting to use that extension for anything else.  If anything, the relevant language around its intended use probably needs more careful consideration and guardrails.  Overloading it with new meanings or attempting to extend it is likely to end very badly.

-Tim

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Mike Ounsworth
Sent: Tuesday, May 23, 2023 8:41 AM
To: Deb Cooley <debcooley1@gmail.com>
Cc: 'LAMPS' <spasm@ietf.org>
Subject: Re: [lamps] [EXTERNAL] Re: draft-housley-lamps-norevavail-00

Deb,

> I would not use an extension that clearly states 'OCSP nocheck' for something that isn't OCSP.  It leads to confusion at a minimum.

I’m not the one petitioning here, but I’ll play devil’s advocate. I don’t think that’s quite the right argument. If I have an EE cert for which I know there is no OCSP info available and I want an extension to state that explicitly. That’s clearly OCSP-related, so why is “OCSP nocheck” not appropriate?

I was hoping that 6960 would have strong language about whether id-pkix-ocsp-nocheck is or is not allowed in EE certs, but didn’t find it.

---
Mike Ounsworth

From: Deb Cooley <debcooley1@gmail.com>
Sent: Tuesday, May 23, 2023 6:25 AM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Subject: Re: [lamps] [EXTERNAL] Re: draft-housley-lamps-norevavail-00

The fact that the extension says 'OCSP' in it and is defined in the OCSP RFC should be enough of a clue.

I would not use an extension that clearly states 'OCSP nocheck' for something that isn't OCSP.  It leads to confusion at a minimum.  The spider web of RFCs is already confusing enough in this space.

Obviously only my opinion.
Deb

On Mon, May 22, 2023 at 3:02 PM Mike Ounsworth <Mike.Ounsworth@entrust.com> wrote:
Thanks Deb,

> Please don't overload the OCSP no check extension.  That extension is only for OCSP certs to avoid a circular loop.  Not for end entity certificates.

My question is whether that is sufficiently well-stated in 6960?

---
Mike Ounsworth

From: Deb Cooley <debcooley1@gmail.com>
Sent: Monday, May 22, 2023 2:01 PM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>; Seo Suchan <tjtncks@gmail.com>
Cc: LAMPS <spasm@ietf.org>
Subject: Re: [lamps] [EXTERNAL] Re: draft-housley-lamps-norevavail-00

I haven't read this whole chain, but my ears perked up when this extension was mentioned.

Please don't overload the OCSP no check extension.  That extension is only for OCSP certs to avoid a circular loop.  Not for end entity certificates.

Care needs to be taken here to avoid unintended consequences.  Jumping up to implement the first idea is seldom wise.

On Sun, May 21, 2023 at 1:16 PM Russ Housley <housley@vigilsec.com> wrote:
Mike:

Interesting


RFC 6960, section 4.2.2.2.1 "Revocation Checking of an Authorized Responder" (https://www.rfc-editor.org/rfc/rfc6960#section-4.2.2.2.1):

"A CA may specify that an OCSP client can trust a responder for the lifetime of the responder's certificate.  The CA does so by including the extension id-pkix-ocsp-nocheck"

Are you allowed to put an id-pkix-ocsp-nocheck extension in end entity certs? If so, what does that mean?

My reading of the description is that id-pkix-ocsp-nocheck should only appear in a certificate issued to an OCSP responder.

Russ
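The reading of RFC 6960 above (id-pkix-ocsp-nocheck belongs only in OCSP responder certificates) can be turned into a certificate lint. The code below is an added example, not code from the thread or from any of its participants; it uses the `cryptography` library, and the two self-signed certificates it builds are constructed test fixtures.

```python
# Added example (not from the thread): a lint that flags the
# id-pkix-ocsp-nocheck extension (RFC 6960 section 4.2.2.2.1) when it
# appears in a certificate that is not an OCSP responder certificate,
# i.e. one lacking the id-kp-OCSPSigning extended key usage.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID


def ocsp_nocheck_findings(cert: x509.Certificate) -> list[str]:
    """Return lint findings about id-pkix-ocsp-nocheck in cert (empty list = clean)."""
    try:
        cert.extensions.get_extension_for_oid(ExtensionOID.OCSP_NO_CHECK)
    except x509.ExtensionNotFound:
        return []  # extension absent: nothing to flag
    try:
        eku = cert.extensions.get_extension_for_oid(ExtensionOID.EXTENDED_KEY_USAGE).value
        is_ocsp_responder = ExtendedKeyUsageOID.OCSP_SIGNING in eku
    except x509.ExtensionNotFound:
        is_ocsp_responder = False
    if is_ocsp_responder:
        return []
    return ["id-pkix-ocsp-nocheck present but certificate lacks id-kp-OCSPSigning EKU; "
            "RFC 6960 defines the extension for OCSP responder certificates only"]


def _self_signed(common_name: str, extensions: list) -> x509.Certificate:
    """Constructed test fixture: a throw-away self-signed certificate."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now)
               .not_valid_after(now + datetime.timedelta(days=1)))
    for ext in extensions:
        builder = builder.add_extension(ext, critical=False)
    return builder.sign(key, hashes.SHA256())


# A proper OCSP responder certificate: nocheck plus the OCSPSigning EKU.
RESPONDER = _self_signed("ocsp.example.test", [
    x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), x509.OCSPNoCheck()])
# An end-entity TLS certificate carrying the extension, the misuse the thread warns against.
MISUSED_EE = _self_signed("www.example.test", [
    x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), x509.OCSPNoCheck()])

if __name__ == "__main__":
    for label, cert in (("responder", RESPONDER), ("end-entity", MISUSED_EE)):
        print(label, ocsp_nocheck_findings(cert) or "clean")
```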
